fraud_reportswikiaorg-20200214-history
Spammer Economy and Infrastructure
Description From the bottom to the top of the spammer food chain, here is a list of everyone involved in sending spam, and profiting from spam. A diagram has also been provided to show the interrelationships these entities share with each other. Note that in many cases, each entity is a single individual, acting alone. Exceptions will be discussed within each entity's description. For the purposes of clarity, this outline is focusing primarily on product-based spamming (pharmaceuticals, "herbal remedies", replica watches, "OEM" software, etc.) as opposed to stock spamming, which differs slightly. Mailers Mailers are individuals who have purchased Spam Software. Examples include WarpSpeed Mailer by "Phantom", Australia, Send-Safe by Ruslan Ibragimov, Russia, Dark Mailer by Nikhil Kumar Pragji, Australia. Mailers (whom we all commonly refer to as "spammers") are the final link in the spam food chain. They sign up to affiliate programs offered by one or more Sponsor Organizations, are provided with distinct and unique Bulletproof Domains to use within their spam messages to promote product types offered by the sponsor group. The mailer receives a percentage of the selling price of whatever the spam recipient ends up purchasing, provided they click through their domain to purchase it. These commissions typically range from 30% - 40%, but can go higher depending on the product. List Providers or Email Harvesters These are individuals who specialize in the "harvesting" of email addresses via many different methods. Typically, if they are operating illegally (i.e. "non-compliant", in reference to compliance with the CAN-SPAM law,) they will have acquired these email addresses by harvesting them directly from a series of websites, scraping every possible web page they can discover by any means, and adding the email addresses to their lists. Others acquire them by actively hacking into large databases, or acquiring them from people with access to large databases of known lists from legitimate companies or corporations. There have been several high-profile convictions of employees of companies such as AOL.com who knowingly sold large lists of email addresses in this way while still in their employ. Sometimes these list resellers will sell very specifically targeted lists to mailers who want only a very specific audience. Those providers tend to operate in a more legal and "compliant" way, as do the mailers they deal with. Some examples of the specificity of the lists provided in these cases include: * Lists of consumers of controlled pharmaceuticals (usually strong pain killers such as Vicodin or Hydrocodone, or other drugs like Phentermine.) * Lists of homeowners who have requested to be informed about refinancing. * Males aged 20 - 35 who are single and looking for new dating sites. * Women aged 19 - 35 who are on diets or interested in diet products. Spam Software Developers Spam Software Developers use nicknames like Phantom, Crypto, Bysin, Caesar, etc. Their products include WarpSpeed Mailer, Send-Safe, Dark Mailer, among others. Some mailers are also developers and may create their own software to send spam via the use of a botnet infrastructure. There are developers who have created applications for sending large amounts of email to a many recipients using some distributed method, and in a way which is customizable by the user. Features may include: * Header randomization or obfuscation * "From" or "Reply-to" randomization or obfuscation * Specific randomization of sender-agent (the header that tells what program sent the message.) * Templates with randomization of either the copy or the layout of the email message * Randomized rotation of spamvertised URL * Dynamically generated image attachments These programs sell for the mid-hundreds of dollars. Usually the well-known applications are sold on an invitation only basis, and only via private means. For example, Phantom, a user on the Bulkerforum.biz forum website, has never publicly advertised that his WarpSpeed Mailer product is actively available for sale. Instead he has conducted individual sales via ICQ, private messaging or email only. The product will not work unless Phantom activates the license for the software. Mailers and other individuals are often seen selling copies, or cracked versions, of several of these programs. Some of them, such as DarkMailer or Nexus, are even offered for free on certain forums. This may be because the message configuration of those mailers is now less effective at getting through many spam filters. This type of spam software often relies on access to botnets, so that mailing to a large list (millions of recipients) can take place in a relatively short time, using a distributed method of sending. Other types of mailers are what are known as "direct" mailers. They send from one location or IP address, and send individually to a large list of recipients, directly by acting as their own email gateway. Another example is the "internal mailer," usually used to target a very specific free-mail provider's users (e.g. Gmail, Yahoo, Hotmail, AOL.) These use many automatically-created accounts to act as the "from" address in that system (e.g. deuyeffuygueg@hotmail.com) to send to that specific free-mail provider's users (i.e. hotmail.com addresses only.) These have been prevalent with mailers promoting the "Canadian Pharmacy" property on behalf of the sponsor known as "Spamit" or "Glavmed." These have been created to take advantage of the fact that Hotmail's filters (as an example) have a habit of whitelisting Hotmail accounts, allowing their first messages to always be delivered, thus bypassing Hotmail's spam filters. Offshore Bank or ATM Account Providers These are quite rare but provide what is arguably an important service to members of the spam community: a means of receiving payment for any number of commissions, be it from pharmacy spamming on behalf of a pharmacy sponsor, or receipt of funds for programming a new type of virus infection for the purposes of increasing the size of a botnet. Costs involved in the setup of these accounts are quite high, usually several hundreds of dollars. Accounts are set up in such locations as Switzerland, the Netherlands, Mauritius (an especially popular location) and Panama (becoming increasingly popular.) This is a form of money laundering, providing an indirect link between the payer (e.g. stock sponsor) and the mailer, using an offshore third party to transfer the money to the mailer's actual account. Botnet Leasers And Operators These are individuals who provide access to a medium or large-scale botnet, or "network of bots" consisting of compromised home and business PC's. For the purposes of the spammer economy, these are primarily leased by the hour and are used specifically for the sending of large amounts of spam email to large lists of recipients. Botnets are used for a wide variety of activities, most of them malicious, such as performing attacks on specified online targets - websites or name servers. Mailers primarily need them so that their Spamming software can quickly send a large number of messages automatically, using the botnet as a distributed method. Hourly rates for mailers, specifically for the purposes of mailing or spamming, are in the range of $10 - $15 per hour on a moderately sized botnet. Some are rented on a monthly basis for several thousand dollars, usually with very specific restrictions on the desired usage of the botnet during that period. Owners who promote these services will set up the deal in the manner shown in this thread from December 2006: http://bulkerforum.biz/viewtopic.php?t=513 TOPIC: Botnetwork rent SkyNet Joined: 15 Sep 2006 Posts: 13 Posted: Mon Dec 18, 2006 10:07 am Post subject: Botnetwork rent Type1 Botnetwork rent, our software for mailing. 800 bots online - $1500 1500 bots online - $3000 3000 bots online - $5000 Type2 Botnetwork rent, your software for mailing. 1000 bots online - $2000 3000 bots online - $5000 5000 bots online - $7000 Type3 Our software for rent, your bots. 1 server - $3000 2 servers - $5000 3 servers - $7000 One server can work with 3000 online bots In all types: bots with 25 open port are specified, and they are ready for mailing. With kindest regards, SkyNet Laboratory http://skynet-laboratory.com/ skynetlaboratory@yahoo.com ICQ:888812 Last edited by SkyNet on Mon Jan 08, 2007 11:33 am; edited 3 times in total 20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST) jestersback Joined: 20 Sep 2006 Posts: 27 Posted: Mon Dec 18, 2006 11:15 am Post subject: Can we have that in English? It seems that everytime I see the word 'botnet', 'installs' or 'proxies' its in Russian, this is getting very frustrating.. Can anyone translate for me? 20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST) Spyda Joined: 17 Dec 2006 Posts: 56 Posted: Mon Dec 18, 2006 4:12 pm Post subject: NO Abla English!? J/k c'mon jester translate that for me Smile 20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST) Crypto Joined: 15 Sep 2006 Posts: 267 Posted: Mon Dec 18, 2006 5:11 pm Post subject: hmm Here u go: ........................ Dear members Skynet Mailer + BotNet We have created a system for SkynetMailer for windows wich will work with botnets Skynet Mailer starts a server to accept connections. Bot connects to the server where skynet mailer is installed and takes pools of letters ready for dispatch and electronic addresses Functions/Futures: 1. work with any botnet(via loading of our botmailer aka spambot) loader 3.5Kb-> bot mailer 120kb (option to do exe install's by yourself) 2.Option to automaticly connect servers (On windows server is not recomended to hold more than 3000 of mailers online !) 3. hmm theres no option 3, let's pass to 4 :) 4. Option to work with image morphing (creation of random images) 5. and many other futures With respect, SkyNet Laboratory http://skynet-laboratory.com/ ICQ:888812 -------------------------------------- 2007 will be an intresting year, btw spamhaus prepares some presents for mailers with botnets. PS:who other from here, speaks russian also except skeynet :) Botnet Install Sales (iframemoney, etc.) These are people who specialize in signing up individuals to place infections or exploit code on either their own websites, or hacking into other people's websites and placing them on pages of those websites, for the purposes of infecting as many unsuspecting users as possible with botnet code. This type of infection is known as a "drive by" install by antivirus vendors and security experts. Commission is based on the location of the infection, and the quantity. Typically the US, Canada, and the UK are the highest paying infection locations, often commanding anywhere from $30 - $50 per 1,000 infections. Affiliate programs known to have been behind these operations include: * iframemoney.com .org, .biz, .us * kamilet.info Here is a thread from bulkerforum.biz dating from October, 2007 in which a member of the forum is attempting to sign up individuals to perform infections: http://bulkerforum.biz/viewtopic.php?t=2491 TOPIC: Botnet Installs/up to 20k per day/$50 per 1k/492-804-072 cyborg Joined: 22 Jul 2007 Posts: 33 PostPosted: Fri Oct 19, 2007 11:25 pm Post subject: Botnet Installs/up to 20k per day/$50 per 1k/492-804-072 Virgin exclusive loads Usa - $50 per 1k Jp - $25 per 1k Also have alot of adult traffic installs. All diff countrys contact me for more info 492-804-072 Note the use of the term "loads". In the spammer community, this is a euphemism for "an infected Windows PC." Sponsors and mailers often post that they are "looking for loads," meaning that they are looking for freshly-infected PC's to use in their mailing runs or for other purposes. These are also referred to as "Peas" or "p's," (short form for "IP's" or "eye peas".) Proxy Providers or Resellers These are at the opposite end from the above-mentioned "Botnet Install" resellers, but are often related. While the previous group seeks people to perform the "drive by install" of their particular infection, the Proxy reseller is the one (sometimes the same person) selling the availability of already-infected Windows PC's, again mainly for the purposes of sending large amounts of spam. These are usually referred to as "proxies", or as above "peas". They are sold in terms of "slots," where a "slot" is a single available space, comprising some portion of the bot network for the exclusive use of the individual who purchases time on the botnet. Examples of attempts to promote the availability of "proxies" on bulkerforum.biz: http://bulkerforum.biz/viewtopic.php?t=3008 TOPIC: proxy slots available MastaP Joined: 16 Mar 2007 Posts: 87 PostPosted: Sun Mar 09, 2008 12:57 pm Post subject: proxy slots available I got some free proxy slots at the moment. 3-5k connects updates 3 mins honeypot scanned etc. hit me for free sample & prices icq: 277819069 skype: p1tb0ss http://bulkerforum.biz/viewtopic.php?t=2833 TOPIC: Very reasonable proxy Bulkhaven Joined: 15 Sep 2006 Posts: 28 Posted: Mon Dec 17, 2007 2:41 pm Post subject: Very reasonable proxy I have 2 slots open on the master list I will let go at a good discount just to keep the slots full Catch me at : Bulkhaven2@aol.com Thanks 20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST) kibble Joined: 13 Nov 2007 Posts: 100 Posted: Mon Dec 17, 2007 7:07 pm Post subject: Good Prices. _________________ eeeeeeeeeeeeeeeee! Bulletproof Domain Registration These are individuals who act on behalf of a sponsor company (see below) who require mailers to promote their products. Using automated means, they will register several thousandsup to tens of thousands of domain names for the purposes of being promoted via spamming. These disposable domains typically have a very short lifespan, which is why so many are required. The domains are often registered using stolen credit cards or stolen PayPal accounts. Invariably these domains are registered using 100% fake contact information im breach of ICANN requirements for domain registration. In the past, certain sponsors have been associated with a subset of known fake contacts, including the "Gary Reed", "Gregory William" and "Paul Gregoire" registrant information. These were as the registrant of domains of notorious spamvertised properties between 2005 and 2007. Three examples: Name: paul gregoire Address: 175 Montreal Road 304 vanier, on K1L 6E4 CA Email Address: gregoirep@coldmail.ca Phone Number: (613)255-2162 Registrant Contact: bphosting gregory william (gregwill@coldmail.ca) +1.6047678695 Fax: +1.5555555555 1808 Bowen road nanaimo, BC V9S 5W4 CA gary reed garyr@coldmail.ca 3495 Cambie Street 150 vancouver BC V5Z 4R3 CA Phone: +1.6047678695 These have since been retired. In early 2008, fake Chinese contact information has been used predominantly for domains registered for VPXL and "Canadian Pharmacy", during the registration of several million domain names: Administrative Contact: LiMing Li Ming NO.38,YongFeng street,Tianchange City,Anhui Province Tianchange Anhui 239355 CN tel: 550 2400568 fax: 550 2400568 yayun22@163.com Technical Contact: LiMing Li Ming NO.38,YongFeng street,Tianchange City,Anhui Province Tianchange Anhui 239355 CN tel: 2400568 fax: 2400568 yayun22@163.com Billing Contact: LiMing Li Ming NO.38,YongFeng street,Tianchange City,Anhui Province Tianchange Anhui 239355 CN tel: 2400568 fax: 2400568 yayun22@163.com Despite being harder to investigate or report due to unfamiliarity with Chinese regional addresses, they are invariably fake, and attached to domains which have been registered using a stolen credit card or PayPal account. Registrars who have approved the automated registration of millions of these so-called "bulletproof" registrations include: * Xin Net (also known to law enforcement investigators as "Paycenter") * Joker.com (also known as "Computer Services Langenbach GMBH doing business as Joker.com", and CSL Computer Service) * Beijing Innovative Linkage Technology Ltd. Doing business as dns.com.cn * eNom Inc. * Todaynic.com Inc. * BizCN * Moniker Online Services XIN NET / Paycenter remains the top provider of these throwaway domains. Despite receiving thousands of complaints from consumers around the world, they have only shut down a tiny number of these domains, often incompletely. Providing these spammable domains to mailers is a primary service that a sponsor provides, and shutting down these domains goes a long way towards impacting the profitability of a sponsor company or organization. The mailer in this case is typically unaffected by the shutdown of several thousand domains, because the sponsor can easily reassign several thousand new ones for use in the mailer's next spam run. Bulletproof Hosting Providers This is related to the above-mentioned Domain registrations. "Bulletproof hosting", or "BP hosting", is hosting which will remain active and stable despite a high number of complaints. Research has shown that this is actually not always the case, since in the experience of consumers who have managed to complain to hosting providers, it typically takes only a handful of complaints to have hosting shut down. Consequently there has been a rise in botnet-supported or "Fast flux" hosting. Here, a large botnet of infected PC's acts as the active IP address for a set of domain names for a short period of time. This is evidenced by performing the unix command "dig" against a given domain name. A standard, legitimate website typically is hosted at one single IP address. A large corporate site may expand to 3 or 4 addresses: %dig amazon.com ; <<>> DiG 9.3.3 <<>> amazon.com ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10578 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 5 ;; QUESTION SECTION: ;amazon.com. IN A ;; ANSWER SECTION: amazon.com. 60 IN A 72.21.203.1 amazon.com. 60 IN A 72.21.206.5 amazon.com. 60 IN A 72.21.210.11 ;; AUTHORITY SECTION: amazon.com. 86400 IN NS pdns1.ultradns.net. amazon.com. 86400 IN NS pdns2.ultradns.net. amazon.com. 86400 IN NS pdns3.ultradns.org. amazon.com. 86400 IN NS pdns4.ultradns.org. amazon.com. 86400 IN NS pdns5.ultradns.info. amazon.com. 86400 IN NS pdns6.ultradns.co.uk. ;; ADDITIONAL SECTION: pdns3.ultradns.org. 84313 IN A 199.7.68.1 pdns4.ultradns.org. 84313 IN A 199.7.69.1 pdns4.ultradns.org. 84313 IN AAAA 2001:502:4612::1 pdns5.ultradns.info. 84313 IN A 204.74.114.1 pdns6.ultradns.co.uk. 170713 IN A 204.74.115.1 A botnet hosted domain name will usually have between a hundred and several thousand addresses, all of which rotate after a set period of time ranging from several seconds to several minutes: %dig xtmidwest.com ; <<>> DiG 9.3.3 <<>> xtmidwest.com ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36780 ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 0 ;; QUESTION SECTION: ;xtmidwest.com. IN A ;; ANSWER SECTION: xtmidwest.com. 180 IN A 24.183.216.62 xtmidwest.com. 180 IN A 75.178.34.175 xtmidwest.com. 180 IN A 81.84.140.124 xtmidwest.com. 180 IN A 86.101.255.253 xtmidwest.com. 180 IN A 89.212.77.46 xtmidwest.com. 180 IN A 89.228.129.74 xtmidwest.com. 180 IN A 98.227.5.125 xtmidwest.com. 180 IN A 193.77.231.46 ;; AUTHORITY SECTION: xtmidwest.com. 180 IN NS ns1.aotheholiday.com. xtmidwest.com. 180 IN NS ns2.aotheholiday.com. xtmidwest.com. 180 IN NS ns3.aotheholiday.com. xtmidwest.com. 180 IN NS ns4.aotheholiday.com. This represents a fast-flux botnet of 8 addresses refreshing every 180 seconds (3 minutes). This hosting is considered "bulletproof" because there is no single Internet Services Provider (ISP) to complain to. The IP addresses are usually hacked or hijacked Windows PC's, or else hijacked Unix servers. Well known spam operations that use hijacked or botnet systems for hosting include: * Canadian Pharmacy * Downloadable Software * US Drugs There are others, primarily from the Spamit / Glavmed series of spamvertised properties. High Risk Merchant Account Providers These are individuals, or (increasingly) companies, who offer precisely what the name implies: credit card merchant accounts which can be attached to commercial activity likely to generate many complaints, or "heat." There are several dozen such organizations around the world. They are usually located outside of North America, and tend to support spammed properties whose main target is citizens of North America. These are notoriously shadowy organizations, and little is known about which specific high-risk merchants are associated with which sponsor organizations. Sponsor Companies or Sponsor Organizations also [[:Category:Spam Sponsoring Companies]] These are the big fish, the ones who profit the most from email spamming. Sponsors are the ones who: * Procure large amounts of product at very low cost. * Set up and maintain accounts with high-risk merchants to process credit card orders on their behalf. * Register thousands of disposable and "bulletproof" domain names - web locations to promote their products. * Find and sign up mailers (spammers) to promote their products. * Assign bulletproof domains to their mailers. * Provide email templates and sometimes website templates for mailers who wish to host their own bulletproof domains. * Often provide bulletproof hosting for the disposable domains. * Often provide Geocities / Google Pages / Blogspot redirectors for use in a mailer's campaigns. * Maintain statistics and reporting for the mailers and affiliates. * Pay out a commission to the mailers and affiliates, in as timely and discreet a fashion as possible. This list shows that the sponsors are the ones who absorb most of the risk in these illegal spam operations. They also profit the most, since they are the ones who procure the product, arrange the shipping, (which can cause its own issues, see below) and employ the mailers to spam to millions of recipients on their behalf, all the while trying to avoid revealing any clear ties to show who is actually behind the spammed products. Web Developers These are individual developers who provide programming services for a wide range of solutions which either sponsors or mailers would require. These include * list deduping, * direct mailing software, * OCR cracking, * captcha cracking, * individual web applications or templates for a specific product. They hire themselves out on a project basis, being paid either by the project or by the hour, and usually display a high level of technical knowledge. Application Developers These are separate and distinct from Web Developers, and focus on writing desktop or server-level applications. These can cover a broad range including some of the above-mentioned projects which Web Developers might also build (in an online format), except these would remain desktop applications. Sometimes they specialize in writing botnets, or botnet command and control infrastructures. Others write Mailers (either direct or botnet-supported.) Others write list management programs, or "forum blasters". The options are limitless. They charge a sliding scale depending on the scope of the project. Designers As with Web Developers, these are individuals who offer design services. These can cover entire websites, or individual banners or email templates. Their numbers are declining. Drop Shipping Providers These are individuals who provide drop-shipping into a distinct territory, or in some cases very specific regions of one territory. (i.e. The Eastern Seaboard of the US.) They provide these services on a one-off basis for large shipments, usually for the shipment and delivery of high-risk products such as Ambien, Vicodin and Hydrocodone, known as controlled substances, or "controlled" in the spammer community. These are highly sought-after products because of the high risk of shipping them illegally to a country with specialized laws or bylaws restricting their shipment. The US, UK and Canada all have strict shipping regulations for these drugs. Drop-shippers for replica watch and handbag products exist but are less prevalent. Clandestine Pill Manufacturers These are independent manufacturers of generic or fake versions of several well-known pharmaceuticals. Many of these exist throughout the world, creating fake / knockoff versions of Viagra and other drugs. Some of these exist in the continental US or Central and South America. High numbers of them are found within China, Taiwan, South Korea, Vietnam, Ukraine, and Romania. A documentary which aired on PBS entitled "Illicit: The Dark Trade" went into quite a bit of detail regarding this topic. http://www.pbs.org/illicit/ Clandestine Fake Watch Manufacturers These are independent manufacturers of knock-off versions of highly coveted designer watches, handbags, sunglasses, and - most recently - shoes. China is still the most frequent source. Proxy pharmacists These are individual pharmacists who may or may not be licensed in their own territory, and are usually unlicensed in any other territory. They act in the capacity of "rubber-stamping" prescriptions on behalf of the sponsor company or sponsor organization. They are paid a high salary for this service. Note that not all spamvertised pharmacies even use a pharmacist of any sort. This process has been widely publicized in documentaries and also in the coverage of the trial of Christopher "Rizler" Smith in 2006. also: [http://www.sophos.com/pressoffice/news/articles/2007/08/rizler.html and http://www.spamsuite.com/book/export/html/195] Category:Registrar Advice Category:Spammer issues